A case for a more secure Facebook

This past week, a few of us at the office logged into Facebook to discover our accounts had been locked. A few months ago, this would have been a bigger issue for us, but this week the two times we were all locked out were mild annoyances and an opportunity to change our passwords.

The reason our accounts were locked weren’t apparently clear. Facebook blamed “a cybercriminal”, but speaking for myself, I knew I used a very secure password and even if someone had managed to crack it, it was unlikely they’d have been able to crack the rest of our accounts simultaneously (twice, no less). Eventually, we were able to narrow it down to one of our pages sharing politically controversial content, which was being reported as malicious by people who didn’t agree with the content.

But despite the fact that our passwords were safe the whole time, we all had to change our passwords (twice) and before we knew what was going on, there was some tension that someone had actually gained access to our accounts. So it brings up a good opportunity for me to discuss something I’ve wanted to talk about for a while.

Sometimes you’re not even looking for a blog topic and one just smacks you in the face.

I got a call from a cousin this evening who reported that both her e-mail and Facebook account had been hacked. I personally set up the e-mail account (circa 1999) with a very basic password. To this day it had not been changed, and a simple derivative of that password was used for her Facebook account. Thus, while I don’t know for sure how the accounts were hacked, I can infer that when one fell, the other did as well. This hacker had changed the passwords to both of her accounts, leaving her locked out.

I told my cousin how to go about regaining access to her accounts, and hung up the phone. But my mind dwelled a bit – for years, I’ve used the same password on most of my accounts. This password isn’t particularly complex (normally scores a medium when it goes through a password meter), but I’ve rested easy knowing that most account hacking comes through phishing these days, and I’m pretty smart about what I click.

It occurred to me though, that my publicly accessible username to many sites is the same I use to log in, making a potential password cracker’s job half as hard (if you’re trying to get into a lock, it’s hard if you don’t have the key, but it’s even harder when you don’t know where the lock is).

Thus, there were a lot of things working against me: searching my name in Google yields at least 4 pages of search results related to my “web presence” (sorry about the word choice, Mike), I used the same password across most of those services, and that password wasn’t incredibly strong to begin with. That doesn’t even account for the possibility of another RockYou (and let’s face it: the odds for are much greater than the odds against).

So I decided it was time, and set about changing my passwords to all my major accounts (the ones I really care about, anyway). I started with Facebook, moved to my e-mail and Twitter and then my banks.

(Seriously, how messed up is my thought process? And make fun of me if you must, but you know your priorities are exactly the same.)

So I got to my online credit card account. I have a Starbucks Duetto Visa, which is administered by Chase, so I went to chase.com, logged in, and after noticing one of my phone numbers was no longer correct and fixing it, set about changing my password. I chose my password, entered my old one, and entered the new one twice.

Here was the response:

I thought I must have done something wrong at first, but sure enough, after closer inspection of the password change form, I found:

What. The. Crap. I understand the fourth one. The last one doesn’t really make a lot of sense since Chase doesn’t enforce a regular password change anyway. I can understand the second one, but while good practice, the fact that you’re limited like that hurts your password’s security statistically. My confusion in this post, however, is mostly directed at bullet points 1 and 3 here.

Firstly, let’s cover what those two points imply. This means (in all likelihood, anyway) that either my Chase password is stored in plaintext in whatever database they use, or it’s two-way encrypted: that is, given an unencrypted password it can create a ciphertext, and given that same ciphertext it can reproduce your original password.

Non-developers may wonder what the alternative here is: the alternative is a hash, which is a one-way encryption algorithm that, given a plaintext password, can easily make a ciphertext, but given a ciphertext, cannot or cannot easily reproduce the original password. So when you log in to site using a a one-way encrypted password, the site knows how to generate that encrypted text from your password, and simply compares the encrypted text.

So here’s the downside: what if you forget your password? It’s really hard to get back to the plaintext password just given the ciphertext password, so really the only option is to reset the password to some random new password, somehow communicate what that password to you, and let you log in and change it to something you know.

But the upside: storing a one-way encrypted password is easier. For the most part, one-way encryption produces a ciphertext that is the same length each time, making the design of the database easier and more predictable. Also, most one-way functions produce a ciphertext that is simply a number.

Here’s what that means: type in a password of any length, with any symbols you want, and the encryption function and your database can handle it. You don’t need to worry about capping your users’ password length or limiting the symbols they use. Facebook, Twitter, and other sites that don’t limit your password (within reason) use one-way encryption. Based on the errors shown here, it’s clear that Chase uses two-way.

Chase isn’t the only site to do it. In fact, most enterprise sites limit your password length (although, not letting you use symbols is a low blow). But why? By letting in a wider variety of passwords, your Facebook password is potentially safer than your bank password. Is this really what we want?

I understand that banks need to use stronger encryption (and the strongest algorithms are two-way, but take a long time to implement and execute, so are only used when necessary), but why not one-way encrypt the ciphertext of the two-way encrypted password? To me, this seems like the best of both worlds: the speed and flexibility of the one-way encryption; the increased security of two-way encryption.

The only thing this loses, I think, is the ability to simply tell the user their old password if they forget it. Is that what banks are afraid of?

As a postscript, I managed to find a password that is secure for my credit card account. But statistically, my coins in FarmVille (if I played that game) and the status of my pokes on Facebook are safer than my credit card details and transactions. Something is definitely wrong here.

Ever since its introduction in 1936, your Social Security number has served as your United States Employee ID number. It’s used to verify your credit when you sign up for a credit card or buy a car, it’s used to verify your identity when filling out government forms, and it’s used to keep your medical record where it’s supposed to be.

Unfortunately, there are a ton of problems with this system. It was never meant to be an ID number for any program except the Social Security program, but in lieu of an official alternative, it’s been misused and overexposed. Worse yet, since your Social Security number never changes, many private institutions use it as your ID number. Ever have to write the last four digits of your Social Security number on a college exam? Ever need to enter it to recover a lost password? The more it’s used, the easier it is to steal. Even if you only surrender the last four digits, an astute snooper can determine what the rest of it is based on where you were born. We need a better alternative. We need a way for US citizens to confirm their identity that is just as secure for private companies as it is the government. The solution, I believe, is public-key cryptography.

For those not well-versed in cryptography, I’ll use the common example. Suppose Alice wants to send a message to Bob without a third party, Eve, being able to intercept it. Bob, being the secure guy he is, has published a public key (a key is a long string of characters that represents a number which is used to encrypt the data mathematically). In other words, Bob can tell Alice his public key any way he wants – even if Eve knows the public key, the message is safe. This is the beauty of public-key cryptography: anyone can encrypt a message and send it to Bob, and then all Bob has to do is use his private key, a seperate key which he tells no one, to decrypt and read the message. The two keys are mathematically related, but if the key is a large enough number, it’s nearly impossible to determine the private key from the public key. Only the private key will decrypt the message.

How does this relate to replacing Social Security numbers? Instead of everyone being issued a Social Security number upon birth, we issue a public and private key to each person when they’re born. The public key goes on their birth certificate, driver’s license, and really anywhere it needs to go. The private key goes in one place and is stored safely.

Skip ahead to when the person applies for a credit card and identification is needed to make sure the person is who they say they are.

The person fills out an online application including name, address, etc. The application also includes a field for the public key.

Upon submission, the web site generates a random code and encrypts it using the the person’s private public key, and stores it in a text file. The server redirects the person to a form where he can download the text file and enter the code.

The user downloads the encrypted text file and using software built-in to a secure thumb drive, decrypts the file using his private key. He copies and pastes the resulting code on the web site.

The web site confirms that the code entered matches the code stored in the file. If it does, the user is who they say they are. If not, they’re not.

There are a couple issues with this system. For one, computer access is required. This isn’t a dealbreaker; basically, it would add another step to paper forms, where you’d fill out most of the form and write in your public key, then go to a computer and grab a confirmation code and write that down too. The server would need to store the confirmation code and the public key associated with it for a long enough period of time to ensure the application gets handled and verified. Second, and more importantly, computer literacy is required. I mentioned that the software should be on a thumb drive to make it easier, but that would still require some education on how to use the software built-in to encrypt and decrypt the keys, and what the difference is between your public and private key. Third, and most importantly, security would be of the utmost importance. The private key must only exist in two places, tops: a secure thumb drive (protected by a thumbprint or something similar) and a government registration system (used in case the thumb drive needs to be replaced). The thumb drive would need to be impenetrable; both the hardware and the software on the thumb drive would need to be reviewed by as many security experts as possible before deployment and reviewed often.

But the benefit from this system is worth it. Everyone’s identity is not only protected, it is mathematically secure. Where current Social Security numbers have (at most) at 1 in 1 billion (1 × 109) chance of being guessed (and as I said earlier, the odds are probably much lower), a 1024-bit key system would a 1 in 21024 ≈ 1.79 × 10309. Not only is the odds of guessing your identity lower, but providers are able to verify your identity without knowing anything that should remain as private as possible; the only things that would know your private key are your thumb drive and that database – you would never even have to see it.

Do I think this will happen anytime soon? Absolutely not. A change of this magnitude would cost billions of dollars, and over 25% of the current US population does not use the Internet. But it should, at some point. Our personal security and privacy is our most important asset, and we need to change how we protect it.

With such a large portion of the computing population threatened, I guess I shouldn’t have been surprised to hear my local radio station, WTAM, interviewing an expert on the subject on this morning’s Wills and Snyder show. I was surprised, however, to hear who the “expert” worked for:

I haven’t really mentioned Geek Squad in this blog yet, but those of you who talk to me in person probably know my feelings on this organization.

To put it bluntly, portraying Geek Squad as an expert on anything computer-related would be just about as believable as Michael Scott being called to CTU to replace Jack Bauer (since Jack is indisposed, currently).

The fact that Geek Squad exists isn’t really avoidable – it’s a market that really had no competition (at least on that level – you might have your neighborhood computer guy, or you might have your nationwide tech support company for hardware issues or Windows or other software, but nothing that’s all-encompassing) when Best Buy entered it, so it made a lot of business sense for Best Buy to do so. Why WTAM had them on the air, though, is beyond me. Surely they could have found someone from Microsoft’s local headquarters to talk about it for a few minutes. Surely they could have gotten a professor from CSU or a professor from Case to talk about it. Surely they could have gone down to their own IT department and brought that guy up to talk about it.

Instead, someone from Geek Squad showed up. Now to be fair, the guy wasn’t completely incompetent. He recommended patching your computer, using anti-virus software and using a firewall. Let me assure you: this is the best Geek Squad has to offer, and even if you see one person like this at your local Best Buy, the rest of the team is not like that.

I implore you: don’t go to Geek Squad for anything. They’ll cause more harm than good.

Today I’m blogging from high atop the Nord building on campus, on the fifth floor with a comfy cubic meter of space in one of the hallways. I like sitting here sometimes when I’m bored because it’s quiet, it’s peaceful, and it makes me look like a hobo, which I’m a huge fan of.

An executive decision from the offices of Jimmy Sawczuk: no more regular game recaps. They didn’t seem to be that popular, they’re kind of a pain to write because I usually have to adhere to that format, and writing those every day kept me away from blogging about other things. Never fear, if there’s a game I want to talk about, I’ll talk about it.

While on the topic of the game recaps, I’d like to thank aimable for his comment on my last post. Part of his comment, the part before he starts spamming, reads:

Yankees are the best team in the MLB, as far as I m concerned, we have great fans, and really the whole city of New York will say that. In New York if you want to watch the Yankees in style good luck with that, all the Yankees premium seats get sold out and are highly priced.

Why, aimable, would you ever say that? They’re not even the best in their division, much less the rest of the league. I like the Yankees hitters (when they’re hitting anyway) and I like the back end of the bullpen, but most of that team is just old – and as much as it pains me to say this, Boston should wipe the floor with them this year.

aimable did manage to prove my point about Yankees fans and Red Sox Nation however: no matter what the numbers say, no matter what the facts are, their teams, to them, are the absolute best in baseball. Right now, the Oakland Athletics are three games better than the Yankees, and you don’t see them walking around saying, “worship the Oakland A’s!”. I don’t doubt the Yankees will make the playoffs this year (although I think I had them missing the Wild Card to the Tigers), but I can’t imagine them getting out of the Division series.

I noticed something new on CNN.com today. Next to a few of the headlines, they have a little T-shirt icon:

Being the inquisitive soul that I am, I clicked it, and was directed to this page:

I can’t make this stuff up, folks. Seriously! You can have a T-shirt with the words: “Smuggled workers turned into slaves.” At first, I had to look at my calendar, I was sure it was an April Fool’s joke. But no, this is completely legitimate.

Now, I chose a headline that is controversial to show the bad side of this little ploy. But what’s the good side? Are there some Democrats just sitting on CNN.com 24/7 waiting for the headline: “Bush says he’s an idiot”, or maybe some Ron Paul supporters waiting for the headline: “Everyone cheated, Ron Paul wins by default”, or maybe some Mitt Romney supporters: “Romney washes his hair”? I can’t think of one good headline for a T-shirt. And by the way, CNN.com charges $15 per shirt; if you’re really that desperate, make your own shirt and you can write whatever you want! (And put pretty pictures, too, from what I hear…)

Today is the last day of classes here at Case, meaning that in about one week (my last final is a week from tomorrow), I’ll be exactly 3/4 done with college. It’ll be nice to get out of this place and become a productive member of society again, and with any luck I’ll find a company who picks a name and sticks with it, unlike CWRUCaseCase Western Reserve University Case Western Reserve.

By the way, someone needs to teach the Democratic party how to do math, because between Obama and Clinton, someone is absolutely wrong when they say they’re winning. I’d say Obama has the edge right now, because of, you know, 5000 years of mathematical knowledge, but maybe when Hillary is president she’ll pass legislation banning advanced math so her win is justified.

In either case, you can’t have two candidates who are both winning. You can have candidate A beating candidate B, meaning candidate A is winning. You can have candidate B beating candidate A, meaning candidate B is winning. You can have a tie, meaning that no one is winning. Or, and I think this is the case lately, you can have candidate A and candidate B slapping each other like two middle schoolers over the stupidest little things, meaning they’re both losing.

Seriously, if you’re the Democratic party, how do you possibly justify not giving the nomination to Obama? He’s ahead. He’s going to stay ahead. Clinton can debate it all she wants, but in the end, under the system of rules agreed upon before the primaries began, Obama will be the winner.

I wonder why the Democratic party has superdelegates anyway. Not to pick sides or throw cheap shots, but superdelegates screams “Republican”. The Democratic party is all about equality in every aspect, almost to a point of socialism… except when it comes to picking a presidential nominee. If you were to read the beliefs of the Democratic party, with things as they are, it should say “The Democrats believe all people are created equal… except not all people.”

Thank God, the NFL Draft is over. Now ESPN can get back to covering sports.

Quote of the Day:

It’s one of the oldest laws in security: the strength of the security should only rely on the secrecy of the key, not the algorithm. We’ve known this forever, and yet people still do it. Don’t be one of those people.

David Singer, MATH 408 professor

Indians play the Yankees tonight, going for the series win against the Bronx Bombers – it’ll be Aaron Laffey against Mike Mussina, who’s not the same pitcher these days. Let’s get the win, guys… put aimable in his place.

And by the way, I just realized I used the word “slaves” in this entry. Thus, if Google Ads decides to try and sell you slaves a few days from now, I feel it is my duty to inform you that slavery is in fact illegal and you shouldn’t do it. I wonder what the penalty is for Google if those ads were ever run though? …